Information
Host devices can be directly exposed to containers at runtime. Do not directly expose host devices to containers especially for containers that are not trusted.
Rationale:
The --device option exposes the host devices to the containers and consequently, the containers can directly access such host devices. You would not require the container to run in privileged mode to access and manipulate the host devices. By default, the container will be able to read, write and mknod these devices. Additionally, it is possible for containers to remove block devices from the host. Hence, do not expose host devices to containers directly.
If at all, you would want to expose the host device to a container, use the sharing permissions appropriately:
r - read only
w - writable
m - mknod allowed
Solution
Do not directly expose the host devices to containers. If at all, you need to expose the host devices to containers, use the correct set of permissions:
For example, do not start a container as below:
docker run --interactive --tty --device=/dev/tty0:/dev/tty0:rwm --device=/dev/temp_sda:/dev/temp_sda:rwm centos bash
For example, share the host device with correct permissions:
docker run --interactive --tty --device=/dev/tty0:/dev/tty0:rw --device=/dev/temp_sda:/dev/temp_sda:r centos bash
Impact:
You would not be able to use the host devices directly within the containers.
Default Value:
By default, no host devices are exposed to containers. If you do not provide sharing permissions and choose to expose a host device to a container, the host device would be exposed with read, write and mknod permissions.